True, tagging may be useful to grab all of the follow-on packets from the
same host. Heck, if he can figure out that the unusual UDP packets are
always coming from the same machine he could even use tcpdump (which is
probably the better tool if your only interest is capturing all the traffic
matching a very simple profile):
tcpdump -x -s 1500 host xx.xx.xx.xx and udp
and if he can narrow it down to one port:
tcpdump -x -s 1500 host xx.xx.xx.xx and udp port yy
Also, Junaidi, next time try to put your message text above the "Matt
Kettler wrote:" bit or leave that line out entirely. This message makes
it look like you are quoting me talking about tagging, which you are not;
my quote begins under that :)
At 06:04 AM 3/14/2002 +0800, Junaidi Bin Sapari wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>>On Thursday 14 March 2002 02:59, Matt Kettler wrote:
>>Snort is able to do tagging. This is based on the rule which is triggered.
>Once a rule is triggered, all the traffic involving the source host is
>logged. Below is one of my examples, so just apply the same to whichever
>particular rules you want.
>(from web-iis.rules)
>alert tcp $EXTERNAL_NET any -> $IIS_SERVERS 80 (msg:"WEB-IIS cmd.exe access";
>flags: A+; content:"cmd.exe"; nocase; classtype:web-application-attack;
>sid:1002; rev:2; tag: host, 300, packets, src;)
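For readers who want to see what the "tag: host, 300, packets, src" option in the quoted rule actually does to the packet stream, here is a small added simulation. It is example code written for this page, not Snort's code and not anything posted in the thread. It assumes a simplified packet and rule representation and the following tag semantics: the src (or dst) host of the triggering packet is tagged, and every later packet to or from that host is logged until the count of packets is reached or the count of seconds has elapsed. The sample traffic and addresses are constructed, and the count is lowered from 300 to 3 so the tag exhausts within the sample.

```python
"""Added example (not Snort's code, not from the snort-users thread): a
small model of Snort's ``tag:`` rule option, using simplified packet and
rule structures and constructed sample traffic."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Packet:
    ts: float              # capture time in seconds
    src: str
    dst: str
    proto: str             # "tcp" or "udp"
    dport: int
    flags: str = ""        # TCP flags as letters; "A" = ACK
    payload: bytes = b""


@dataclass
class Rule:
    msg: str
    dport: int
    content: bytes         # matched case-insensitively (Snort "nocase")
    tag_count: int         # the 300 in "tag: host, 300, packets, src"
    tag_metric: str        # "packets" or "seconds"
    tag_direction: str     # "src" or "dst": which host of the trigger to tag

    def matches(self, pkt: Packet) -> bool:
        # Mirrors "alert tcp ... 80 (flags: A+; content:...; nocase;)"
        return (pkt.proto == "tcp" and pkt.dport == self.dport
                and "A" in pkt.flags
                and self.content.lower() in pkt.payload.lower())


@dataclass
class TagState:
    rule: str
    count: int
    metric: str
    start: float           # timestamp of the triggering packet
    logged: int = 0        # follow-on packets logged so far


class Tagger:
    """Evaluates rules and logs follow-on traffic for tagged hosts."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.tags: Dict[str, TagState] = {}   # tagged host -> state

    def process(self, pkt: Packet) -> List[Tuple[str, str, Packet]]:
        """Return the log entries this packet produces: ("alert", msg, pkt)
        for a rule match, ("tagged", msg, pkt) for follow-on traffic."""
        entries = []
        # Host tagging: a packet whose src OR dst is a tagged host is logged,
        # regardless of protocol or port (the tag is per host, not per flow).
        for host in (pkt.src, pkt.dst):
            tag = self.tags.get(host)
            if tag is None:
                continue
            expired = ((tag.metric == "seconds" and pkt.ts > tag.start + tag.count)
                       or (tag.metric == "packets" and tag.logged >= tag.count))
            if expired:
                del self.tags[host]
                continue
            tag.logged += 1
            entries.append(("tagged", tag.rule, pkt))
            break   # log a packet once even if both of its hosts are tagged
        # Rule evaluation; a match starts a tag on the chosen host.
        for rule in self.rules:
            if rule.matches(pkt):
                entries.append(("alert", rule.msg, pkt))
                host = pkt.src if rule.tag_direction == "src" else pkt.dst
                # An already-tagged host keeps its existing tag (assumption)
                self.tags.setdefault(host, TagState(rule.msg, rule.tag_count,
                                                    rule.tag_metric, pkt.ts))
        return entries


def run_demo() -> Dict[str, List[float]]:
    """Replay constructed traffic through the thread's rule (count 300 -> 3)."""
    rule = Rule(msg="WEB-IIS cmd.exe access", dport=80, content=b"cmd.exe",
                tag_count=3, tag_metric="packets", tag_direction="src")
    tagger = Tagger([rule])
    attacker, server, other = "203.0.113.9", "192.0.2.10", "198.51.100.7"
    traffic = [  # constructed sample packets
        Packet(0.0, attacker, server, "tcp", 80, "A", b"GET /cmd.exe HTTP/1.0"),  # alert
        Packet(1.0, attacker, server, "tcp", 80, "A", b"GET / HTTP/1.0"),         # tagged
        Packet(2.0, server, attacker, "tcp", 1054, "A", b"HTTP/1.0 200 OK"),      # tagged (either direction)
        Packet(3.0, other, server, "tcp", 80, "A", b"GET / HTTP/1.0"),            # untagged host
        Packet(4.0, attacker, server, "udp", 53, "", b"\x00\x01"),                # tagged (not flow-bound)
        Packet(5.0, attacker, server, "tcp", 80, "A", b"GET / HTTP/1.0"),         # budget of 3 used up
    ]
    alerts, tagged = [], []
    for pkt in traffic:
        for kind, _msg, p in tagger.process(pkt):
            (alerts if kind == "alert" else tagged).append(p.ts)
    return {"alerts": alerts, "tagged": tagged}


if __name__ == "__main__":
    print(run_demo())
```

The point the simulation makes is the one Matt raises above: a host tag follows the address, not the connection, so the UDP packet at t=4 is logged even though the rule that fired was a TCP rule, while the unrelated client at t=3 is never logged. Swapping tag_metric to "seconds" turns the budget into a time window measured from the triggering packet.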